Limiting Traffic Within a User VLAN

janiax (Level 1)

Imagine a user VLAN and tens of users with laptops connected to it.
If any of the laptops gets infected by a worm or ransomware, it can spread through the whole user VLAN, as these laptops see each other on the single broadcast domain.

Generally speaking, laptops in a dedicated user VLAN on a company network do not need to communicate directly with each other, right? Neither Bob nor Alice would ever need to act as a server for standard user communication, so why would Bob need to be able to directly reach Alice, or Alice directly reach Bob?

Is it possible to achieve that none of these laptops within the user VLAN would be able to communicate with each other?
The goal would be to limit their traffic just to the user VLAN DG uplink - a single interface, or an aggregated interface.
That way the user VLAN would be protected against malware trying to infect other laptops on the network if one gets infected.

Is it possible to achieve this with Private VLANs?
Does this even make sense? If it doesn't, why?

Many thanks for your replies, I am looking forward to seeing some nice discussion.

5 Replies

Giuseppe Larosa (Hall of Fame)

Hello Janiax,

>> Is it possible to achieve this with Private VLANs?

Yes, you will have a primary VLAN and a secondary of type isolated.

All PC ports will be associated to the secondary VLAN.

The SVI interface will be in the primary VLAN.

To avoid some types of attacks that send traffic to the legitimate gateway to overcome the isolation, you should use an ACL on the SVI that denies traffic with source and destination in the same IP subnet of the VLAN, with an additional line to permit access from source the IP subnet of the VLAN to destination any.

Printers should be in the primary VLAN (promiscuous ports) and also file servers or shares, if any.

However, depending on the human users, they may be using some direct communication.

So this approach is technically feasible, but it is not well suited for all environments.

A more modern approach is to use 802.1X authentication combined with Network Access Control, which can move the infected PC into a quarantine VLAN isolated from all L3 services.

Again, this may be too heavy to deploy in a small / medium enterprise.

Hope to help

Giuseppe

 
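As an added example (not part of the thread or of Giuseppe's post), here is the Cisco IOS configuration the reply above describes: a primary VLAN with one isolated secondary, host ports for the laptops, a promiscuous port for the gateway uplink and printers, and the SVI ACL. The VLAN numbers, interface names and the 10.10.10.0/24 subnet are assumptions. The ACL matters because the private VLAN enforces isolation only at Layer 2: an isolated host can still send a frame to the gateway's MAC address carrying the IP address of another host in the same subnet, and the router, seeing a directly connected destination, routes it straight back into the VLAN through the promiscuous port. Denying same-subnet source and destination on the SVI closes that hairpin.

```cisco
! Added example configuration, not taken from the thread.
! Assumed values: VLAN 200/201, Gi1/0/1-24 for laptops, Gi1/0/48 uplink,
! subnet 10.10.10.0/24 with the gateway at 10.10.10.1.

! Required for private VLANs when the switch runs VTP version 1 or 2
vtp mode transparent
!
vlan 200
 name USERS-PRIMARY
 private-vlan primary
 private-vlan association 201
!
vlan 201
 name USERS-ISOLATED
 private-vlan isolated
!
! Laptop ports: host ports in the isolated VLAN. Isolated hosts can only
! talk to promiscuous ports, never to each other at Layer 2.
interface range GigabitEthernet1/0/1 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Uplink to the default gateway (use the same settings for a printer or
! file server port): promiscuous, so it sees traffic from the isolated VLAN
interface GigabitEthernet1/0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Only if the gateway is an SVI on this switch: map the secondary VLAN to it
! and apply the anti-hairpin ACL inbound from the VLAN.
interface Vlan200
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 201
 ip access-group USER-VLAN-NO-HAIRPIN in
!
! Inbound on the SVI: allow hosts to reach the gateway itself and to get
! DHCP, then drop anything whose destination is inside the same subnet
! (this is the routed-back-in bypass), and finally allow everything else.
ip access-list extended USER-VLAN-NO-HAIRPIN
 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.1
 permit udp any eq bootpc any eq bootps
 deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
```

If the default gateway is a firewall attached to the promiscuous uplink rather than an SVI on the switch, the `interface Vlan200` block is not needed and the equivalent deny rule (same-subnet source to same-subnet destination) goes on the firewall's interface for that subnet, because the firewall is then the device that would route the hairpinned packet back in. Verify the result with `show vlan private-vlan` and `show interfaces switchport` on the host ports, and test it from two laptops: a ping or SMB connection between them must fail, while both still reach the gateway.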

Hello Giuseppe,

Many thanks for your answer!

> The SVI interface will be in the primary VLAN.

We have the SVIs on a firewall, where the network is segmented. I would not need to adjust anything on the firewall level, right? It would just use the current primary VLAN and would not even know about the secondary isolated VLAN.

> To avoid some types of attacks that send traffic to the legitimate gateway to overcome the isolation you should use an ACL on the SVI that denies traffic with source and destination on the same IP subnet

How could you overcome this isolation? If an attacker would like to infect other users on the same LAN, but computers on the same LAN were not able to communicate directly, he would need to first direct the traffic to a remote network and, on the device that connects the remote network, set that this traffic would go back to the LAN that he tries to infect.

My point is that when you communicate on a LAN, you do not go to the DG by definition, but maybe I am missing something.

Hope this makes sense.

Cheers,
Jan

Joseph W. Doherty (Hall of Fame)

"Is it possible to achieve this with Private VLANs?"

Yes.

"Does this even make sense? If it doesn't, why?"

Perhaps. If hosts truly have no need for host-to-host L2 communication, it may make sense, but consider that those hosts might still infect other hosts via L3 rather than L2. Because of this, PVLANs are more likely used in a DMZ, where the traffic to/from that network passes through a FW which better secures the L3 aspect.

> If hosts truly have no need for host-to-host L2 communication, it may make sense but consider those hosts might still infect other hosts via L3

Could you think of a situation where these hosts would have to be able to directly communicate on L2?
What network protocols would be limited by this restriction? I can think only of ARP, but that does not matter, as I would need only access to the DG, so the link connecting the DG would be in promiscuous mode.

I want to avoid malware spreading on a user VLAN, among user laptops, meaning that the communication would never need to reach L3, as we are talking about the same local network. Of course, when it comes to a remote network, malware could be spreading via L3, but consider that in other networks there would not be, for example, any Windows 10 machines, which the malware would target, but rather servers running some kind of Linux distribution or Windows Server, printers and stuff like that.

Imagine that malware passes through all upper-layer inspections and actually infects a user's computer.
This worm-like malware would try to spread to other users' computers on the local network.
As users' computers would not be able to communicate directly on the local network, the malware would be able to successfully infect only a single host, and user data would stay protected on the other computers.
This is exactly what I would like to achieve, or at least explore this possibility.

We are currently redesigning our company network and this just came across my mind.

Many thanks for your time and answer.

"Could you think of a situation, where these hosts would have to be able to directly communicate on L2?"

Off-the-top-of-my-head, no, I cannot.

However, what might happen is that two years from now some new application is installed and for some reason it doesn't work, due to this blockage caused by PVLANs, and of course no one will then remember it having been done. ;)